After an unprecedented year when enterprises were forced to take a quantum leap on cloud computing and remote work exploded, it’s no surprise that the majority of enterprise workloads are now running in multiple clouds. This rapid cloud migration is creating a whole new set of security challenges around managing identities and data access to your organization’s cloud resources. Studies have shown this is where security failures happen — when the combinations of identities, access, and privileges break down. Gartner forecasts this breakdown will account for about three-quarters of security incidents in the cloud by 2023.
The ephemeral and complex nature of the cloud makes traditional security perimeters insufficient. The cloud needs a new perimeter: identity. Unfortunately, the complexity of cloud infrastructure and of cloud provider identity and access management (IAM) tools makes it exceptionally challenging to determine who, or what, has access to a cloud resource. In this rapid migration, enterprises have turned to IAM solutions to safely operate their workloads in the cloud. However, security teams may not fully understand the risk involved in enforcing least privilege and least access when identities are the perimeter.
With this lack of cloud security education, it is easy to make an identity configuration mistake. Too frequently, a single major misconfiguration is all that is needed to do damage. In other cases, a series of smaller misconfigured privileges adds up to a tidal wave of data breach and exploitation risk. Even low-hanging fruit can escalate to a complete cloud takedown. So how does an identity get misconfigured?
Misconfigured Identities often go unnoticed and/or unmitigated. Many enterprises overlook the Shared Responsibility Model of their Cloud Service Provider (CSP) and assume that security is handled completely by the CSP. Over time, teams can lose sight of the data-access risk that accumulates as an Identity becomes misconfigured. Others assume the IAM solution they are using is complete. But defects in the IAM solution are difficult to detect, and all too often they go unnoticed until it's too late.
Understanding effective permissions and identifying risks across hundreds of roles, thousands of pieces of compute, and different CSPs can be a challenge. AWS defines effective permissions as “the permissions that are granted by all the policies that affect the user or role.” Simply put, it is the true picture of what your Identity can do and what it can access.
Moving quickly, developers may seek ways to gain access beyond their effective permissions, chaining particular role rights and resources into a toxic combination: a prevalent issue and a potential blind spot for security. The gradual accumulation of unneeded permissions by an Identity can lead to disastrous results. To avert this, security must dig deep within their cloud ecosystem and uncover the trust relationships and effective permissions that are causing toxic combinations, then safeguard against them by applying policies that restrict unnecessary access.
Misconfigured Identities take many forms, one prominent example being trusted roles. Under this misconfiguration, every user within the cloud platform has unguarded access to these roles and to the permissions attached to them. For instance, every account has immediate access to EC2, S3, and KMS within AWS. With this type of misconfigured Identity, a bad actor can move through the cloud environment and obtain full access to sensitive data.
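As an added example, not code from the original post or from Sonrai, here is a simplified evaluator of the effective permissions a role receives from all of its attached identity policies (the AWS definition quoted above), with checks for the two misconfigurations just described: an open trust policy and a toxic S3-plus-KMS combination. The role document, policies, account ID and ARNs are constructed sample data; the matching applies AWS's rule that an explicit Deny overrides any Allow but ignores conditions, resource policies and permission boundaries.

```python
import fnmatch

# Constructed sample role: an instance role with two customer policies attached
# and a trust policy that lets any AWS principal assume it.
SAMPLE_ROLE = {
    "RoleName": "prodApp-nat",
    "TrustPolicy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "Policies": [
        {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]},
        {"Statement": [
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-secrets/*"}]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    """IAM Action and Resource fields accept '*' and '?' wildcards; matching is case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(role, action, resource):
    """Effective permission across all attached policies: some statement must Allow the
    action on the resource and no statement may Deny it (an explicit Deny always wins)."""
    allowed = denied = False
    for policy in role["Policies"]:
        for stmt in policy["Statement"]:
            if _matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"]):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def has_open_trust(role):
    """The 'trusted role' misconfiguration: any AWS principal may assume the role."""
    for stmt in role["TrustPolicy"]["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt["Effect"] != "Allow":
            continue
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            return True
    return False

def has_toxic_s3_kms_combo(role, obj="arn:aws:s3:::prod-data/app.env.enc",
                           key="arn:aws:kms:us-east-1:111122223333:key/any-key-id"):
    """Reading encrypted objects AND decrypting with any KMS key is the chain this post warns about."""
    return is_allowed(role, "s3:GetObject", obj) and is_allowed(role, "kms:Decrypt", key)
```

The same three checks can be run over every role in an account to surface the trust relationships and effective permissions the text says security must uncover.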
Identity compromise and privilege escalation have been, are now, and will continue to be an issue for those unfamiliar with the new perimeter or those without end-to-end visibility in their cloud. Least privilege and least access, already tricky practices, become nearly impossible in the face of the scale, scope, and ephemeral nature of cloud environments.
Misconfigured Identities make your environment easy for bad actors to breach. Jay Gazlay, a technical strategist at the Cybersecurity and Infrastructure Security Agency, said in a recent article, "Instead of going after these data holdings, they’re going after the identities that give them access to all the data holdings — much broader campaigns. That makes trust store and identity management compromise much more impactful, and frankly, a much higher target. As we move into a cloud infrastructure where all that matters is the expectation that you are who you say you are, to get access to cloud infrastructures, this becomes even more pernicious.”
According to another recent article from Forbes, a survey found that 74% of data breaches start with abuse of access. Misconfigured identities create account weaknesses that grant access, enabling bad actors to launch organized attacks on precious enterprise resources. Malicious parties may exploit account misconfigurations through systematic methods and processes like these:
Many role names are short and predictable. As a result, bad actors can locate a misconfigured role by trial and error, attempting various permutations (e.g., prodApp-nat, prodApp-app2-nat).
The actor could acquire a temporary access token linked to a misconfigured role. Malicious parties may use the access token to enumerate permissions and discover accessible resources.
They will then have access to view VM instances and exploit attached metadata. The malicious parties can obtain valuable information, including Docker images, database queries, and accessed resources. In other cases, they will use the instance itself, which has its own Identity, as an attack vector. This was the case with a very well-known data breach in the financial sector.
Malicious parties may access the S3 buckets to download and manipulate confidential data such as certificate keys, application shell scripts, and encrypted files with privileged credentials. Alternatively, they can delete the data or encrypt it to make it unusable.
Attackers can use the AWS KMS decrypt capability attached to the misconfigured role to convert the encrypted credentials within the S3 buckets into plaintext.
The acquired plaintext credentials provide unauthorized parties with a “master key,” enabling them to move laterally and access the Docker Hub repository, Splunk, and databases, gaining control of enterprise resources.
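As an added example, not from the original post or from Sonrai, here is a detection rule that flags a temporary-credential session following the chain above: permission enumeration, then S3 object reads, then KMS Decrypt, all under one assumed-role session. It runs over constructed CloudTrail-shaped events; the account ID, role names, session IDs and timestamps are made up.

```python
from collections import defaultdict

def event(time, source, name, role, session):
    """Minimal CloudTrail-shaped record (constructed); real records carry many more fields."""
    return {"eventTime": time, "eventSource": f"{source}.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}"}}

# Constructed sample: one instance-role session walks the chain described above,
# while a second session only performs the application's normal object reads.
SAMPLE_EVENTS = [
    event("2021-04-01T10:00:01Z", "sts", "GetCallerIdentity", "prodApp-nat", "i-0abc123"),
    event("2021-04-01T10:00:04Z", "iam", "ListAttachedRolePolicies", "prodApp-nat", "i-0abc123"),
    event("2021-04-01T10:00:09Z", "s3", "ListBuckets", "prodApp-nat", "i-0abc123"),
    event("2021-04-01T10:00:15Z", "s3", "GetObject", "prodApp-nat", "i-0abc123"),
    event("2021-04-01T10:00:20Z", "kms", "Decrypt", "prodApp-nat", "i-0abc123"),
    event("2021-04-01T10:00:02Z", "s3", "GetObject", "prodApp-web", "i-0def456"),
    event("2021-04-01T10:00:03Z", "s3", "GetObject", "prodApp-web", "i-0def456"),
]

# Calls that reveal what a credential can do; an application's own traffic rarely needs them.
ENUMERATION = {"sts:GetCallerIdentity", "iam:ListAttachedRolePolicies", "s3:ListBuckets"}

def suspicious_sessions(events):
    """Return session ARNs that enumerate, then read S3 objects, then call kms:Decrypt, in that order."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        service = ev["eventSource"].split(".")[0]
        by_session[ev["userIdentity"]["arn"]].append(f"{service}:{ev['eventName']}")
    flagged = []
    for arn, calls in by_session.items():
        stage = 0  # 0 = nothing seen, 1 = enumerated, 2 = read S3 object, 3 = decrypted
        for call in calls:
            if stage == 0 and call in ENUMERATION:
                stage = 1
            elif stage == 1 and call == "s3:GetObject":
                stage = 2
            elif stage == 2 and call == "kms:Decrypt":
                stage = 3
                break
        if stage == 3:
            flagged.append(arn)
    return flagged
```

A flagged session names the role in its ARN, which is the role whose effective permissions and trust policy should be reviewed first.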
When identity becomes the security perimeter, as it does in the cloud, not only reaching but maintaining least access is fundamental to protecting your cloud. Not every account needs unlimited access to your environment, not even admins. So the ability to grant granular access controls and permissions, based on who has access, what they have access to, how they can access it, and when, is important.
If your organization doesn't have complete and continuous visibility of the Identities in your cloud and their effective permissions, how can you effectively protect your cloud and the data that resides within it? Managing both human and non-person identities, and their access to cloud resources, is therefore fundamental to information security for any organization.
The role of identity security and data security takes on an increased level of importance in the cloud. So what can you do to prevent a misconfigured identity and enforce the least access to data?
Enterprises can reduce the risks of misconfigured Identities by keeping users well-informed of what's under the hood regarding the latest cloud practices and regulations. However, for truly effective deterrence against these risks, enterprises should consider implementing a cloud security solution that continuously monitors every identity (human and non-human), their effective permissions, and their data access privileges to maintain the principle of least privilege. This means any mistakes or drift from policy are caught straight away.
Sonrai Security delivers an enterprise identity and data governance platform for AWS, Azure, Google Cloud, and Kubernetes. Sonrai Security chains together all the different identities, permissions associated with them, and trust relationships to surface misconfigurations through many layers of identity. The Sonrai Dig platform is built on a patented, sophisticated graph that identifies and monitors every possible relationship between identities and data that exists inside an organization’s public cloud. Taking into consideration the numerous constituents involved in managing operational risk, Dig’s Operations Automation Engine automates workflow, remediation, and prevention capabilities across cloud and security teams to ensure end-to-end security. Dig enables the safest practices by sustaining identity governance through a detailed graphing technology that de-risks cloud environments without exceptions.
Eliminate risks at the speed of the cloud with Sonrai Security as your trusted ally.